File name: pia-windows-x64-3.6.1-08339.exe

Full analysis: https://app.any.run/tasks/1bebaa94-43b2-404e-9c1d-eac151ff830f
Verdict: Malicious activity
Analysis date: December 19, 2024, 20:25:35
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 7 sections
MD5: 57644ED54E9AD4D6686B0FAAB7BFA4DB
SHA1: B0195D1AE789ED8C2A26DDD78FE0E5BF8116B1F5
SHA256: B407C39D82398AFF52602AE98A2B7CD904023A5F6D1E88416DC30B2C31A3CF56
SSDEEP: 196608:j8TwQn3fOsOurt8cw1Uaa2MyRcjW3Bs79KuKzBJ4Z/M0:j8TwGOsXGdT3BsZxKzbI

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executing a file with an untrusted certificate

      • pia-wgservice.exe (PID: 6824)
      • pia-windows-x64-3.6.1-08339.exe (PID: 6528)
      • pia-service.exe (PID: 6756)
      • pia-client.exe (PID: 6956)
  • SUSPICIOUS

    • Process drops legitimate windows executable

      • pia-windows-x64-3.6.1-08339.exe (PID: 6668)
    • Drops a system driver (possible attempt to evade defenses)

      • pia-windows-x64-3.6.1-08339.exe (PID: 6668)
    • Executable content was dropped or overwritten

      • pia-windows-x64-3.6.1-08339.exe (PID: 6668)
    • Executes as Windows Service

      • pia-service.exe (PID: 6756)
    • The process drops C-runtime libraries

      • pia-windows-x64-3.6.1-08339.exe (PID: 6668)
    • Creates a software uninstall entry

      • pia-windows-x64-3.6.1-08339.exe (PID: 6668)
    • Reads security settings of Internet Explorer

      • pia-windows-x64-3.6.1-08339.exe (PID: 6668)
    • Detected use of alternative data streams (AltDS)

      • pia-client.exe (PID: 6956)
  • INFO

    • Creates files in the program directory

      • pia-windows-x64-3.6.1-08339.exe (PID: 6668)
      • pia-service.exe (PID: 6756)
    • Reads the computer name

      • pia-windows-x64-3.6.1-08339.exe (PID: 6668)
      • pia-service.exe (PID: 6756)
      • pia-wgservice.exe (PID: 6824)
      • pia-client.exe (PID: 6956)
    • The sample was compiled with English language support

      • pia-windows-x64-3.6.1-08339.exe (PID: 6668)
    • Checks supported languages

      • pia-service.exe (PID: 6756)
      • pia-windows-x64-3.6.1-08339.exe (PID: 6668)
      • pia-wgservice.exe (PID: 6824)
      • pia-client.exe (PID: 6956)
    • Reads the time zone

      • pia-service.exe (PID: 6756)
    • Process checks computer location settings

      • pia-service.exe (PID: 6756)
    • Creates files or folders in the user directory

      • pia-client.exe (PID: 6956)
    • Reads the software policy settings

      • pia-service.exe (PID: 6756)
    • Reads the machine GUID from the registry

      • pia-service.exe (PID: 6756)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2024:09:02 09:42:04+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.29
CodeSize: 346624
InitializedDataSize: 24613888
UninitializedDataSize: -
EntryPoint: 0x2e424
OSVersion: 10
ImageVersion: -
SubsystemVersion: 10
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes: 120
Monitored processes: 6
Malicious processes: 3
Suspicious processes: 2

Behavior graph (interactive; available in the full report)

Process information

PID | CMD | Path | Indicators | Parent process

PID: 6528 | CMD: "C:\Users\admin\Desktop\pia-windows-x64-3.6.1-08339.exe" | Path: C:\Users\admin\Desktop\pia-windows-x64-3.6.1-08339.exe | Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
Modules
Images
c:\users\admin\desktop\pia-windows-x64-3.6.1-08339.exe
c:\windows\system32\ntdll.dll
PID: 6668 | CMD: "C:\Users\admin\Desktop\pia-windows-x64-3.6.1-08339.exe" | Path: C:\Users\admin\Desktop\pia-windows-x64-3.6.1-08339.exe | Parent process: explorer.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\desktop\pia-windows-x64-3.6.1-08339.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
PID: 6756 | CMD: "C:\Program Files\Private Internet Access\pia-service.exe" | Path: C:\Program Files\Private Internet Access\pia-service.exe | Parent process: services.exe
User:
SYSTEM
Integrity Level:
SYSTEM
Modules
Images
c:\program files\private internet access\pia-service.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ole32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\combase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\win32u.dll
PID: 6824 | CMD: "C:\Program Files\Private Internet Access\pia-wgservice.exe" /cleaninterface wgpia0 | Path: C:\Program Files\Private Internet Access\pia-wgservice.exe | Parent process: pia-service.exe
User:
SYSTEM
Integrity Level:
SYSTEM
Exit code:
1
Modules
Images
c:\program files\private internet access\pia-wgservice.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\winmm.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
PID: 6832 | CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | Path: C:\Windows\System32\conhost.exe | Parent process: pia-wgservice.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 6956 | CMD: "C:\Program Files\Private Internet Access\pia-client.exe" --clear-cache | Path: C:\Program Files\Private Internet Access\pia-client.exe | Parent process: pia-windows-x64-3.6.1-08339.exe
User:
admin
Company:
Private Internet Access Incorporated
Integrity Level:
MEDIUM
Description:
Private Internet Access
Version:
3,6,1,100
Modules
Images
c:\program files\private internet access\pia-client.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
Total events: 91 659
Read events: 91 649
Write events: 10
Delete events: 0

Modification events

(PID) Process: (6668) pia-windows-x64-3.6.1-08339.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\piavpn
Operation: write | Name: URL Protocol | Value:
(PID) Process: (6668) pia-windows-x64-3.6.1-08339.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{33023371-7761-4F81-BBB1-0E0D0D175ACF}
Operation: write | Name: DisplayName | Value: Private Internet Access
(PID) Process: (6668) pia-windows-x64-3.6.1-08339.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{33023371-7761-4F81-BBB1-0E0D0D175ACF}
Operation: write | Name: InstallLocation | Value: C:\Program Files\Private Internet Access
(PID) Process: (6668) pia-windows-x64-3.6.1-08339.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{33023371-7761-4F81-BBB1-0E0D0D175ACF}
Operation: write | Name: UninstallString | Value: C:\Program Files\Private Internet Access\uninstall.exe
(PID) Process: (6668) pia-windows-x64-3.6.1-08339.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{33023371-7761-4F81-BBB1-0E0D0D175ACF}
Operation: write | Name: Publisher | Value: Private Internet Access, Inc.
(PID) Process: (6668) pia-windows-x64-3.6.1-08339.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{33023371-7761-4F81-BBB1-0E0D0D175ACF}
Operation: write | Name: DisplayVersion | Value: 3.6.1+08339
(PID) Process: (6668) pia-windows-x64-3.6.1-08339.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{33023371-7761-4F81-BBB1-0E0D0D175ACF}
Operation: write | Name: DisplayIcon | Value: C:\Program Files\Private Internet Access\pia-client.exe
(PID) Process: (6668) pia-windows-x64-3.6.1-08339.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{33023371-7761-4F81-BBB1-0E0D0D175ACF}
Operation: write | Name: URLInfoAbout | Value: https://www.privateinternetaccess.com/
(PID) Process: (6668) pia-windows-x64-3.6.1-08339.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{33023371-7761-4F81-BBB1-0E0D0D175ACF}
Operation: write | Name: EstimatedSize | Value: 85210
(PID) Process: (6668) pia-windows-x64-3.6.1-08339.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{33023371-7761-4F81-BBB1-0E0D0D175ACF}
Operation: write | Name: NoModify | Value: 1
Executable files: 149
Suspicious files: 351
Text files: 404
Unknown types: 1

Dropped files

PID | Process | Filename | Type

6668 | pia-windows-x64-3.6.1-08339.exe | C:\Program Files\Private Internet Access\brand.txt | text
MD5: 1A212F8DB4799461E7B4EA4C5316BD4E
SHA256: 0CCEDD0B0F8D3B7812836DF5B13D7F24935863F9D1302513E72EDF3ACA2B2261
6668 | pia-windows-x64-3.6.1-08339.exe | C:\Program Files\Private Internet Access\QtQuick\Controls\Basic\Action.qml | text
MD5: D99A005D11045BD0B7848A61FF055E80
SHA256: C2DDC06F47895B24BD6DF723F89D0A488CA4F459F327D50C9A3A9F3D2C7757AB
6668 | pia-windows-x64-3.6.1-08339.exe | C:\Program Files\Private Internet Access\modern_servers.json | text
MD5: 3E9EA64409B60C7D0A0D18EC6B9CA8E1
SHA256: EFE8645165FD6BE6EF179553458A8F01B8D6D2FA4618488EE66A6D6D41E8622C
6668 | pia-windows-x64-3.6.1-08339.exe | C:\Program Files\Private Internet Access\QtQml\plugins.qmltypes | text
MD5: 1045BA3D27D7A09B3785B0B94DA86BF6
SHA256: 5A04C42765817590BEE3943F7FB8E14F37A75DCBE58EDA8C8F3F354CCE5509DB
6668 | pia-windows-x64-3.6.1-08339.exe | C:\Program Files\Private Internet Access\modern_shadowsocks.json | text
MD5: 58DE1F95261F81AA10D95924310BE96C
SHA256: 6E7ABEB4D01261A0E6A89FD02C5341502E91251B7551C5E69162DE36B90417FA
6668 | pia-windows-x64-3.6.1-08339.exe | C:\Program Files\Private Internet Access\QtQml\WorkerScript\qmldir | text
MD5: 594F73B44C4C95058F62B7A98FEA3E04
SHA256: 683CB51777C8F8265006547674ABFF5E22FF5AEF4FD170B58BED6AE82627699A
6668 | pia-windows-x64-3.6.1-08339.exe | C:\Program Files\Private Internet Access\QtQuick\Controls\Basic\ActionGroup.qml | text
MD5: 0DA388B06343DF8FB3C2D5DAD745F8DA
SHA256: 5A586C8722DA8B1EA2CFD87AD75D08B08CBC50127A2C82121A78B512DDF8E754
6668 | pia-windows-x64-3.6.1-08339.exe | C:\Program Files\Private Internet Access\Qt\labs\platform\plugins.qmltypes | text
MD5: 2006D4B7D0DA455AA4C7414653C0018A
SHA256: A96C7BF5832767BDC9D91E2290A3920AEC3ABFBF2E3814BCE38B49483F16F84A
6668 | pia-windows-x64-3.6.1-08339.exe | C:\Program Files\Private Internet Access\architecture.txt | text
MD5: 0027F42E1E5DFCB4FD5F8F9C6DB89AF3
SHA256: 7520B5A1B312EFDE4FD7E2793EF4BC0CF8F1C235F778D203AB7216A0E31B3880
6668 | pia-windows-x64-3.6.1-08339.exe | C:\Program Files\Private Internet Access\LICENSE.txt | text
MD5: 50B53397867963369D87695B4E70BE7F
SHA256: 6EB99D0D071493B43AF549145F3CC311EB8EF593B4FB2D8C9E8A8743255FDA6B
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 33
TCP/UDP connections: 53
DNS requests: 10
Threats: 4

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
172.64.147.163:443
https://api.privateinternetaccess.com/api/client/status
unknown
unknown
GET
172.64.147.163:443
https://www.privateinternetaccess.com/clients/desktop/release
unknown
unknown
GET
104.18.159.201:443
https://serverlist.piaservers.net/shadow_socks
unknown
unknown
GET
172.64.150.50:443
https://www.piaproxy.net/clients/desktop/release
unknown
unknown
GET
104.19.240.167:443
https://serverlist.piaservers.net/vpninfo/regions/v2
unknown
unknown
GET
104.18.40.93:443
https://api.privateinternetaccess.com/api/client/status
unknown
unknown
GET
172.64.147.163:443
https://api.privateinternetaccess.com/api/client/status
unknown
unknown
GET
104.18.40.93:443
https://api.privateinternetaccess.com/api/client/status
unknown
unknown
GET
172.64.147.163:443
https://api.privateinternetaccess.com/api/client/status
unknown
unknown
GET
104.18.40.93:443
https://api.privateinternetaccess.com/api/client/status
unknown
unknown

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
192.168.100.255:137
whitelisted
192.168.100.255:138
whitelisted
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
3576
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6756
pia-service.exe
45.9.250.46:443
M247 Ltd
AE
unknown
6756
pia-service.exe
146.70.102.2:443
M247 Ltd
AE
unknown
6756
pia-service.exe
104.18.40.93:443
www.privateinternetaccess.com
CLOUDFLARENET
unknown
6756
pia-service.exe
172.64.147.163:443
www.privateinternetaccess.com
CLOUDFLARENET
US
unknown
6756
pia-service.exe
31.171.154.114:443
Keminet SHPK
AL
unknown

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 51.124.78.146
  • 40.127.240.158
whitelisted
google.com
  • 216.58.212.174
whitelisted
www.privateinternetaccess.com
  • 104.18.40.93
  • 172.64.147.163
unknown
api.privateinternetaccess.com
  • 172.64.147.163
  • 104.18.40.93
unknown
www.bing.com
  • 104.126.37.130
  • 104.126.37.139
  • 104.126.37.154
  • 104.126.37.128
  • 104.126.37.129
  • 104.126.37.145
  • 104.126.37.176
  • 104.126.37.123
  • 104.126.37.163
whitelisted
serverlist.piaservers.net
  • 104.18.159.201
  • 104.19.240.167
whitelisted
www.piaproxy.net
  • 172.64.150.50
  • 104.18.37.206
unknown
self.events.data.microsoft.com
  • 52.168.117.171
whitelisted

Threats

PID
Process
Class
Message
6756
pia-service.exe
Unknown Traffic
ET JA3 Hash - [Abuse.ch] Possible Trickbot
6756
pia-service.exe
Unknown Traffic
ET JA3 Hash - [Abuse.ch] Possible Trickbot
6756
pia-service.exe
Unknown Traffic
ET JA3 Hash - [Abuse.ch] Possible Trickbot
6756
pia-service.exe
Unknown Traffic
ET JA3 Hash - [Abuse.ch] Possible Trickbot
No debug info